The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Pacemaker_configuration_system | Fedora | * | 0.9.137 (including) |
| Red Hat Enterprise Linux 6 | RedHat | pcs-0:0.9.123-9.el6_6.2 | * |
| Red Hat Enterprise Linux 7 | RedHat | pcs-0:0.9.137-13.el7_1.2 | * |